Report Identifies Rise in Phishing-as-a-Service Attacks
Cybersecurity researchers at Trustwave are warning of a surge in malicious email campaigns leveraging Rockstar 2FA, a phishing-as-a-service (PhaaS) toolkit designed to steal Microsoft 365 credentials.
The toolkit poses a major risk because it bypasses multifactor authentication (MFA) protections, even for users with enhanced security measures in place. These campaigns have abused popular services, including Microsoft OneDrive, OneNote, Dynamics 365 Customer Voice, Atlassian Confluence, and Google Docs Viewer, to host malicious links or redirect users to phishing sites.
“This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable,” wrote Diana Solomon and John Kevin Adriano at security firm Trustwave. “Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages.”
Rockstar 2FA is a more advanced iteration of the DadSec, or Phoenix, phishing kit, the researchers said. Microsoft tracks the cybercriminal group behind the toolkit as Storm-1575. Marketed on platforms such as ICQ, Telegram, and Mail.ru, the phishing-as-a-service offering is sold through a subscription model.
The toolkit is designed to bypass MFA and harvest session cookies, while incorporating features to evade detection, such as antibot measures and "fully undetectable" phishing links. It also lets its customers customize phishing themes and integrate their campaigns with Telegram bots, making it a malicious tool that requires very little technical knowledge to operate.
The phishing kit evades antispam filters by using obfuscated links hosted on reputable platforms such as Microsoft OneDrive, Google Docs Viewer, and Atlassian Confluence. It also incorporates Cloudflare Turnstile antibot checks to prevent automated analysis of its phishing pages.
Once victims are redirected, they encounter fake login portals designed to mimic legitimate sites. Credentials entered on these pages are captured and relayed to an AiTM server, which sits between the victim and the real login service: it forwards the victim's credentials and MFA response to the genuine site and keeps the session cookie that the site issues in return. With that cookie the attackers can hijack the account without ever being challenged for the victim's MFA factor themselves. Only phishing-resistant methods such as FIDO2 security keys or passkeys, whose credentials are bound to the legitimate origin and will not respond on the proxy's domain, resist this class of attack.
In one example, Trustwave described an attack campaign targeting Microsoft OneNote users, in which a seemingly legitimate email is sent to victims. This is how it works:
The text visible in the email body is actually contained in an image. The image is anchored with a hyperlink to a OneNote document hosted on the 1drv[.]ms domain. This image-based approach helps attackers evade text-based detection mechanisms. It is a common technique that is still seen in phishing samples today.
Users are redirected to a OneNote page whose title invites them to complete a document for review. This webpage displays an Adobe PDF logo and a text link that leads to the phishing landing page.
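The lure described above has a shape a mail gateway can look for: almost no real text in the body, and an image that is itself a link to a file-sharing host used as a redirector. The following heuristic detector is an added example, not Trustwave's code or a vendor's filter. The list of abused hosts is our assumption based on the services named in this article, and the email bodies it classifies are constructed for illustration.

```python
"""Heuristic detector for image-only phishing lures whose picture is wrapped in a
link to a reputable file-sharing host (the OneNote lure pattern described above).
Added example, not Trustwave's code. Sample bodies and the host list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article names as abused redirectors (exact host strings are our assumption).
ABUSED_HOSTS = {"1drv.ms", "onedrive.live.com", "docs.google.com", "atlassian.net"}


class _LureParser(HTMLParser):
    """Counts visible text, images, and images wrapped in <a href=...>."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.linked_image_hosts = []
        self._href_stack = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href_stack.append(a.get("href", ""))
        elif tag == "img":
            self.images += 1
            if self._href_stack and self._href_stack[-1]:
                host = urlparse(self._href_stack[-1]).hostname or ""
                self.linked_image_hosts.append(host)

    def handle_endtag(self, tag):
        if tag == "a" and self._href_stack:
            self._href_stack.pop()

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def _is_abused_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ABUSED_HOSTS)


def score_email(html_body, max_text_chars=40):
    """Return (verdict, reasons). 'suspicious' needs both signals, 'review' one."""
    p = _LureParser()
    p.feed(html_body)
    p.close()
    reasons = []
    if p.images and p.text_chars <= max_text_chars:
        reasons.append("body text carried almost entirely in image(s)")
    abused = sorted({h for h in p.linked_image_hosts if _is_abused_host(h)})
    if abused:
        reasons.append("image linked to file-sharing host: " + ", ".join(abused))
    verdict = "suspicious" if len(reasons) == 2 else ("review" if reasons else "clean")
    return verdict, reasons


# Constructed sample bodies (not real campaign samples).
SAMPLES = {
    "onenote_lure": '<html><body><a href="https://1drv.ms/o/s!example"><img src="cid:body.png" alt=""></a></body></html>',
    "image_only_unknown_host": '<html><body><a href="https://example.org/doc"><img src="cid:a.png"></a></body></html>',
    "newsletter": '<html><body><p>Hi team, the Q3 report is attached. Please review the figures on page 4 before Friday.</p><a href="https://intranet.example.com/q3"><img src="cid:logo.png"></a></body></html>',
    "plain": '<html><body><p>Lunch at noon?</p></body></html>',
}


def classify_samples():
    return {name: score_email(body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_email(body))
```

The two signals are deliberately kept separate: a linked image pointing at a legitimate sharing host is normal in signatures and newsletters, and an image-only body is normal in marketing mail, so either alone should only raise the message for review. The threshold of 40 visible characters is arbitrary and should be tuned against your own mail flow.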
Trustwave concluded that the rise of PhaaS platforms like Rockstar 2FA demonstrates the increasing sophistication and accessibility of phishing campaigns. These tools enable widespread credential theft and follow-on attacks such as business email compromise.
According to the security firm, organizations are encouraged to:
- Strengthen email filtering and detection systems.
- Educate employees on phishing tactics and social engineering.
- Use behavioral analytics to identify unusual account activity.
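One behavioral signal that is specific to the session-cookie theft described in this article: a session created by an MFA-satisfied sign-in from one network is then used from a different network within minutes. The check below is an added example, not Trustwave's code or any identity provider's API. The log schema and the records it runs over are constructed; real sign-in logs use different field names and would need a small adapter.

```python
"""Behavioural check for AiTM-style session hijacking: a session cookie issued after
an MFA-satisfied sign-in on one network is replayed from another network soon after.
Added example, not Trustwave's code. Log format and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity log, one record per authenticated request. "session" stands
# for a hash of the session cookie; "asn" for whatever network-identity field you have.
SAMPLE_LOG = [
    {"ts": "2024-11-25T09:00:05Z", "user": "alice@example.com", "session": "s-1a2b", "ip": "203.0.113.10", "asn": "AS64500", "event": "signin", "mfa": True},
    {"ts": "2024-11-25T09:00:20Z", "user": "alice@example.com", "session": "s-1a2b", "ip": "203.0.113.10", "asn": "AS64500", "event": "mail.read", "mfa": None},
    {"ts": "2024-11-25T09:07:41Z", "user": "alice@example.com", "session": "s-1a2b", "ip": "198.51.100.77", "asn": "AS64501", "event": "mail.read", "mfa": None},
    {"ts": "2024-11-25T09:08:02Z", "user": "alice@example.com", "session": "s-1a2b", "ip": "198.51.100.77", "asn": "AS64501", "event": "inbox_rule.create", "mfa": None},
    {"ts": "2024-11-25T10:15:00Z", "user": "bob@example.com", "session": "s-9z8y", "ip": "192.0.2.5", "asn": "AS64502", "event": "signin", "mfa": True},
    {"ts": "2024-11-25T10:16:00Z", "user": "bob@example.com", "session": "s-9z8y", "ip": "192.0.2.5", "asn": "AS64502", "event": "mail.read", "mfa": None},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(records, window=timedelta(minutes=30)):
    """Return one alert per session that is used from a network other than the one
    it was signed in from, within `window` of that sign-in."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)

    alerts = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: _parse_ts(r["ts"]))
        signin = next((r for r in recs if r["event"] == "signin"), None)
        if signin is None:
            continue  # no sign-in seen for this session; nothing to compare against
        t0 = _parse_ts(signin["ts"])
        for r in recs:
            if r["asn"] == signin["asn"]:
                continue
            delta = _parse_ts(r["ts"]) - t0
            if delta <= window:
                foreign = [x for x in recs if x["asn"] != signin["asn"]]
                alerts.append({
                    "session": sid,
                    "user": signin["user"],
                    "signin_ip": signin["ip"],
                    "signin_mfa": signin["mfa"],
                    "replay_ip": r["ip"],
                    "minutes_after_signin": round(delta.total_seconds() / 60, 1),
                    # Actions performed from the foreign network; inbox rules and
                    # MFA-method changes are the classic BEC follow-ups.
                    "actions": sorted({x["event"] for x in foreign}),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_LOG):
        print(a)
```

A user moving from office Wi-Fi to a mobile network will also trip this, so in production the alert is weighted by the action list (an inbox rule created from the new network minutes after sign-in is far more telling than a mailbox read) and suppressed for network pairs the user has legitimately used before. Revoking the session on alert, rather than only forcing re-authentication, is what actually invalidates a stolen cookie.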
For more information, visit the Trustwave blog.